Dave,

Thunderbird didn't seem to like your HTML mail, it wouldn't wrap the HTML and so the lines were veeerrrryyyyy long.

Anyway, a couple of comments:

I disagree that replication services need to enforce common security levels for replicas. If I have read access to a file, I can copy it and set its access to whatever I want. If that is important data, it is assumed that since I have read access I will take care of it. A community may wish to impose consistent access rights across replicas, but that is a policy issue, not something inherent in replication services.

As to the federated security model, I again don't think that is necessary. If I access n different sites, I have to do n authentication and authorization checks, and if any one of them fails the access fails. This does imply some things about uniform identity, they all trust the same CAs, even that they are all using the same security mechanism. It would also be a major pain to debug access problems, particularly if the system is dynamically choosing the resource so you don't even know where you are accessing things. I suppose it might be possible to query your rights across all the resources and present a federated access rights list that was the least common denominator.

The idea of users not wanting anyone, including admins, knowing what they have stored is a security concern. How do we know that they are not storing stolen top secret information or that they are actually running bomb design software? I don't subscribe to this, but I have heard this argument from security folks before.

Bill

--
William E. Allcock
Argonne National Laboratory
Bldg 221, Office C-115A
9700 South Cass Ave
Argonne, IL 60439-4844
Office Phone: +1-630-252-7573
Office Fax: +1-630-252-1997
Cell Phone: +1-630-854-2842